ICT Access and Account Management Procedures

Policy Procedures ICT Access and Account Management Procedures

Print Friendly and PDFPrint Friendly

Intent

These Procedures have been developed to support the Information Communication Technology (ICT) Acceptable Use Policy and will further the intent of that Policy by:

  • Expressing the commitment of the University to maintaining secure, effective and reliable University ICT Services;
  • Governing the provision, maintenance and termination of accounts giving access to University ICT Services;
  • Outlining the provision, modification and removal of access to University ICT Services; and
  • Ensuring that the University provides its account holders with secure and timely access to the online services and resources necessary for undertaking their work and study.

Scope

These Procedures apply to all Authorised Users of the University ICT Services managed by the University or third party providers on behalf of the University, both on and off campus.

Definitions

Defined terms in the ICT Acceptable Use Policy have the same meaning in these ICT Access and Account Management Procedures.

Account means a user name or other identifier which, with or without a password, allows a user to access University ICT Services.

Asset Owner means an individual or collective group with accountability and authority for University ICT Services.

College/Directorate Representative means a person appointed by a College or Directorate whose role is to control use of University ICT Services allocated to their College or Directorate.

Delegate Account means an external account that is control by an account manager. The account manager can change the account's name, occupancy dates and password.

General Access Teaching Computer Facilities Labs (GATCF) means the computing labs and equipment provided by the University.

Generic Account means an Account that is not linked to personal identity (e.g. a University staff or student).

ICT News Bulletins means information supplied by ICT either by email, automatically output on a workstation or on the web-based University news boards.

Outside User means a person or organisation, external to the University.

Privileged System Access means access to administrative roles within operating systems, databases and applications, for example, root access in a Linux system.

Research DMZ means a portion of the network, built at or near the campus or laboratory's local network perimeter that is designed such that the equipment, configuration, and security policies are optimised for high-performance research applications rather than for general-purpose business systems or enterprise computing.

Table of Contents

  1. Creation of staff Accounts
  2. Creation of student Accounts
  3. Creation of external Accounts
  4. Creation of delegate Accounts
  5. Creation of staff administration secondary Accounts
  6. Requesting additional access
  7. Requesting generic Accounts
  8. Passwords
  9. Resetting forgotten passwords
  10. Modification of staff access when their relationship with the University changes
  11. Modification of student access when their relationship with the University changes
  12. Additional requirements for Information and Communications Technology staff
  13. Access reviews
  14. Suspending Accounts
  15. Disabling and deletion of student Accounts
  16. Disabling and deletion of staff Accounts
  17. Disabling and deletion of delegate and external Accounts
  18. Records management
  19. Contacts
  20. Related policy instruments
  21. Related legislation
  22. Administration

Introduction

These procedures are designed to support the operational nature of the ICT Acceptable Use Policy by providing detailed access management procedures.

University ICT Services are the property of the University.

Procedure

1. Creation of staff accounts

Hiring managers must:

  1. Complete the necessary hiring requisition using the Human Resources Information System (HRIMS).

    Information and Communications Technology will:

  2. Create a user network Account. All staff Accounts will be provided with access to University ICT Services including:
    1. University email;
    2. Wireless network access (eduroam);
    3. Corporate applications including MyHR Online, Staff Online, Cognos, Riskware and Fraedom; and
    4. Access to common file shares (where appropriate).
  3. Provide the Account details to the staff member or nominated supervisor.

Supervisors will:

  1. Show new staff how to change their password on first login.

2. Creation of student accounts

Information and Communications Technology will:

  1. Create student Accounts when the student is entered into the University system for the purpose of offering the student a place at the University.

    Prospective undergraduate and postgraduate students who have accepted offers will:

  2. Obtain the University computer account details (login, password and email address) from Get Started @ JCU. Students will need their 8 digit University student number, supplied to them by the University Admissions included in the letter of offer to a course to log in.
  3. Change their password on first login.

3. Creation of external accounts

External Accounts can be arranged for Outside Users, visiting academics, staff or students for the purpose of providing access to central systems, email and internet access. The External Account Form is used for a single user which will be at the University for an extended amount of time.

An External Account - User Registration Form must be completed and forwarded to the ICT Help Desk.

Information and Communications Technology will:

  • Create the external Account and notify the owner of the account of the Account details.

4. Creation of delegate accounts

Delegate Accounts are similar to external Accounts, however they allow staff members to have control over the occupancy of the Account. The Account manager can change the Account's name, occupancy dates, and password, via a web service. This is useful for allowing visiting academics, staff or students access to the central systems including internet access. The Delegate Account is usually used for users which are changing over short periods of time.

A Delegate Account Application Form must be completed and forwarded to the ICT Help Desk.

Information and Communications Technology will:

  • Create the Delegate Account and notify the owner of the account of the Account details.

5. Creation of staff administration secondary accounts

University staff or students, with Privileged System Access, must use an Account, separate from their standard user Account. The Account will have a naming convention suitable to allow for ease of identification.

Asset Owners will:

  • Create a secondary administrative Account for University staff or students with Privileged System Access in accordance with the ICT Least Privilege Guidelines.

6. Requesting additional access

Authorised Users can request additional access to University ICT Services, including file shares and applications. If a staff member requires a level of access different to that usually given to people in their relevant area, their Dean of College or Director must authorise the level of access required and submit that authorisation to Information and Communications Technology or Asset Owner.

The staff member applying for additional access will:

  1. Submit requests for additional access to the appropriate Dean of College or Director (in the format required by the College or Directorate) for authorisation; and
  2. Submit the authorised request to the ICT Help Desk.

The Dean of College or Directorate will:

  1. Decide whether to authorise the additional access in accordance with University policies and procedures.

    Information and Communications Technology will:

  2. Maintain a register of authorised College/Directorate Representatives;
  3. Validate and allocate additional access; and
  4. Where Information and Communications Technology is unable to allocate access, they will notify the relevant Asset Owner.

7. Requesting generic accounts

Generic Accounts are manually created by Information and Communications Technology from time to time to meet the University's operational needs.  Generic Accounts are not permitted for access to student, financial or personal identifiable information.

The staff member will:

  1. Submit the request for Generic Account(s) to the appropriate Dean of College or Director (in the format required by the College or Directorate).

    The Dean of College or Director will:

  2. Decide whether to approve the Generic Account(s) and access in accordance with applicable  University policies and procedures; and
  3. If approved, forward the request to the ICT Help Desk.

Information and Communications Technology will:

  1. Create the Generic Account and notify the owner of the account of the account details; and
  2. Manually delete the Generic Account upon expiry, or at the request of the person responsible for the Generic Account.

8. Passwords

Authorised Users must:

  1. Select passwords that comply with the University password requirements;
  2. Change their passwords at regular intervals; and
  3. Maintain security of their password.

Information and Communications Technology will:

  1. Implement a baseline tiered password policy based on user group, as defined in Table 1 below.

Table 1 – Password Requirements

Requirement

User Group

Undergraduate, Postgraduate and Research Students

Staff, Generic, Delegate and External Accounts

ICT Staff Secondary Administrative  /Domain Accounts

Service Accounts (e.g. application to database)

System Accounts (e.g. root in Linux)

Null passwords

Not Allowed

Not Allowed

Not Allowed

Not Allowed

Not Allowed

Minimum length

8 characters

8 characters

15 characters

16 characters

20 characters

Maximum length

System maximum

System maximum

System maximum

System maximum

System maximum

Repeating characters (AAA) of adjoining characters (ABC)

Not allowed

Not allowed

Not allowed

Not allowed

Not allowed

Complexity

(8-14 characters)

Contain at least 1 number (0 - 9), 1 uppercase character (A - Z) and 1 lowercase character (a - z)

Contain at least 1 number (0 - 9), 1 uppercase character (A - Z) and 1 lowercase character (a - z)

NA

NA

NA

Complexity

(15 or more characters)

Contain 1 number (0 - 9) or 1 uppercase character (A - Z) or 1 lowercase character (a - z)

Contain 1 number (0 - 9) or 1 uppercase character (A - Z) or 1 lowercase character (a - z)

Contain 1 number (0 - 9) or 1 uppercase character (A - Z) or 1 lowercase character (a - z)

Contain 1 number (0 - 9) or 1 uppercase character (A - Z) or 1 lowercase character (a - z)

Contain 1 number (0 - 9) or 1 uppercase character (A - Z) or 1 lowercase character (a - z)

Password change (8-14 characters)

365 days

365 days

365 days

As required.

180 days (or upon departure of ICT staff with knowledge of the password)

Password change (15 or more characters)

No change

No change

365 days

As required.

180 days (or upon departure of ICT staff with knowledge of the password)

Account lockout after nominated unsuccessful attempts

Yes

Yes

Yes

Recommended

Recommended

Stored in encrypted format

Yes

Yes

Yes

Yes

Yes

Where systems do not support the above requirements, Information and Communications Technology will:

  1. Identify the system and conduct a risk assessment on the proposed solution to identify mitigating controls; and
  2. Implement the mitigating controls or make recommendations to the Asset Owner.

Administrative staff responsible for the Research DMZ will:

  1. Implement and maintain security guidelines for the Research DMZ; and
  2. Comply with the above password policy. Where compliance with the above password policy is not feasible, implement mitigating controls based on the results of a risk assessment.

9. Resetting forgotten passwords

Authorised Users who have forgotten the password for their Account must:

  1. Submit a request for password changes to the ICT Help Desk; or
  2. Submit a request in person to Library InfoHelp or;
  3. Use JCU’s password reset functionality (where available).

Information and Communications Technology will maintain a manual password reset process. Information and Communications Technology will:

  1. Send an email to the Authorised User’s alternative contact method (e.g. email) requesting the following information:
    • Full name
    • University staff/student number
    • Term address/home address
    • Division or College of employment/study
    • Date of birth
  2. Confirm the Authorised User’s identity and provide a one-time password to the Authorised User’s pre-registered contact details to be changed on first login.

Library InfoHelp Staff will:

  1. Confirm the Authorised User’s identity using:
    • University Staff or Student Card; or
    • Other suitable form of photo identification.
  2. Confirm that the Authorised User’s account is still active; and
  3. Provide the Authorised User with the ability to enter a new password in-person.

10. Modification of staff access when their relationship with the University changes.

The relevant Dean of College or Director must:

  • Notify Human Resources of any change in the relationship between a staff member and the University that might affect the staff member’s entitlement to University ICT Services.

The Director, Human Resources will:

  • Ensure that the appropriate position changes are made in the HRIMS system. The system will send a message to Information and Communications Technology notifying of the change.

Information and Communications Technology will:

  • Modify the staff members’ access to University ICT Services by following any standard modification processes which may be in place. This process will be automated where possible.

11. Modification of student access when their relationship with the University changes.

Student Services must record the individual status and progression of students within the University:

The Director, Student Services will:

  • Ensure that the appropriate status changes are made in the Student Management Information System (SMIS). The system will send a message to Information and Communications Technology notifying of the change.

Information and Communications Technology will:

  • Modify the student’s access to University ICT Services by following any standard modification processes which may be in place. This process will be automated where possible.

12. Additional requirements for Information and Communications Technology staff

Staff working in Information and Communications Technology who are enrolled in University courses or programs will not usually be granted access to University ICT Services where that access enables them to change their or others' academic results.

The Director, Information and Communications Technology, must:

  1. Maintain oversight of those staff who may also be registered as students of the University and ensure that access controls are sufficient to ensure that Information and Communications Technology staff cannot modify student related records; and
  2. Implement processes (e.g. supervision) to ensure that Information and Communications Technology staff members do not modify academic results or material. Information and Communications Technology staff members will not:
    1. view course material for any course, before that material is made available for viewing by students enrolled in the course, unless they have written permission from the staff member, lecturer, tutor, teacher or instructor who prepared the material, or from the course coordinator or relevant Dean of College;
    2. take any action that would result in them or any other person gaining an academic advantage over other students;
    3. access any personal, academic or confidential information about anyone else unless required in the course of their University duties; or
    4. perform any other action that is inappropriate for or unauthorised by their position or duties.

13. Access reviews

Asset Owners are responsible for reviewing system access and must:

  • Review access on a periodic basis and must promptly revoke all privileges no longer required by Authorised Users.
    • All special or privileged access to systems (such as administrative or supervisor Accounts, or staff working in Information and Communications Technology who are enrolled in University courses or programs) must be reviewed every 6 months.
    • All Authorised User access must be reviewed at regular intervals not exceeding 12 months including when they change roles, in order to maintain effective access control and to prevent access creep.

Information and Communications Technology will:

  • Provide Asset Owners with the appropriate reports to review current access.

14. Suspending accounts

The Director, Information and Communication Technology, Director, Student Services or the Director, Human Resources may authorise suspensions of Accounts under certain conditions. Situations under which suspension of Accounts would be considered include (but are not limited to):

  • Threats to the University ICT Services; or
  • Inappropriate use of University ICT Services, systems or software.

15. Disabling and deletion of student accounts

Where a student's relationship with the University ends (e.g. by way of completion of course, discontinuance, lapse, withdrawal or expulsion), the Director, Student Services will:

  • Make the appropriate changes in the Student Management Information System (SMIS) to reflect their end date.

Students who do not accept an offer to study at the University, or fail to enroll, will be routinely deleted from the system by Student Services. The SMIS will send a message to Information and Communications Technology notifying of the change.

Information and Communications Technology will:

  • as per the following schedule:
  • Table 2 – Account Removal Timeline - Student

Relationship

Date at which access is disabled

Students – completed / graduated

180 days after completion date

Students – withdrawal

1 day after date of withdrawal

Students – lapsed

1 day after date of lapse

  • Notify students whose Accounts are scheduled to be disabled by sending an email up to 30 days before the disable date. Students who will continue to have a relationship with the University after this date will be advised in that email of the process they must follow to retain their Accounts and appropriate access. No notification will be sent for deceased Student members.  Students who have completed their course (i.e. alumni) with be provided with access to a University email account as determined by Student Services.

16. Disabling and deletion of staff accounts

If a staff member's relationship with the University ends (e.g. retirement, resignation, termination or end of contract), the relevant Dean of College or Director must:

  • Notify Human Resources.

The Director, Human Resources will:

  • Ensure that the appropriate changes are made in the Human Resources system to reflect the staff member’s end date; and
  • Ensure relevant parties (including Asset Owners, Campus Security and Information and Communications Technology) are notified of the staff member's change in relationship with the University.

Asset Owners will:

  • Remove privileged access from the staff member’s Account.

Information and Communications Technology will:

  • Remove privileged access from the staff members Account (where this is associated with a predefined system security group);
  • Disable the staff member’s Account and access to University ICT Services as per the following schedule:

Table 3 – Account Removal Timeline - Staff

Relationship

Date at which access disabled

Method

Staff/student Privileged Accounts

End of last day of employment.

Manual process

Academic and Administrative Staff members – continuing (permanent) - resignation

End of last day of employment.

Automated trigger from Human Resources System

Academic and Administrative Staff members termination or dismissal

Last day of employment

Automated trigger from Human Resources System

Academic and Administrative Staff members – fixed term contract

Last day of employment

Automated trigger from Human Resources System

Academic and Administrative Staff members – casual

180 days after the date of end of casual contract or upon advice from Human Resources.

Automated trigger from Human Resources System

  • Notify staff members whose Accounts are scheduled to be disabled by sending an email up to 30 days before the disable date. Staff members who will continue to have a relationship with the University after this date will be advised in that email of the process they must follow to retain their Accounts and appropriate access. No notification will be sent for deceased staff members.

Staff members who have multiple relationships with the University (such as an account holder who is both student and staff member) who cease only one of their relationships will only have the access related to the terminating relationship removed.

17. Disabling and deletion of delegate and external accounts

Owners of Delegate and external Accounts must:

  • Notify Information and Communications Technology when the Account is no longer required.

Information and Communications Technology will:

  • Remove privileged access from the Delegate or external Account (where this is associated with a Security Group); and
  • Disable the Delegate or external Account and access to University ICT Services.

18. Records management

Subject to the provisions of the Intellectual Property Policy, all records created by staff account holders in the course of their University duties are records, regardless of the form and technology used to generate them. These records are the property of the University and subject to its control, and they may be official records covered by the relevant state legislation.

Electronic documents, such as emails, are subject to the same requirements as hardcopy records and must be captured in accordance with the University's Record Management Policy.

The Records Management team within James Cook University have the delegated responsibility of ensuring all University public records are created, maintained, preserved and destroyed in accordance with both the University’s Retention and Disposal Schedule (RDS) and the General Retention and Disposal Schedule for Administrative Records (GRDS).

All staff members and their supervisors must:

  1. Ensure that all records are stored in  the University's record management system(s), or
  2. Transferred to the University’s Records Management Team for storage, maintenance, preservation and destruction in the University’s record management system.

Where staff members are unable to ensure that the procedure in point 1) or 2) above is complied with before they leave the University (for instance, due to illness or death), the relevant supervisor of that staff member may request that the Director, Information Communications and Technology authorise another University staff member to view and deal with the records associated with the Account before it is disabled and deleted.

19. Contacts

For further information, please contact:

20. Related policy instruments

JCU ICT Acceptable Use Policy and Procedures

JCU Code of Conduct

JCU Code of Conduct Explanatory Statement

JCU Student Conduct Policy

JCU Code for the Responsible Conduct of Research

JCU Intellectual Property Policy

JCU Information Security Policy

JCU Risk Management Policy

JCU Records Management Policy

JCU Code of Conduct – University Council

TropEco Disposal Guidelines

JCU GATCF Lab Conditions of Use

JCU Software Supplier Agreements & Offers

JCU ICT Secure IT

JCU ICT Lease Privilege Guidelines

21. Related legislation

Queensland Australia

James Cook University Act 1997 (QLD)

Information Privacy Act 2009 (QLD)

Public Records Act 2002 (QLD)

Telecommunications Interception Act 2009 (QLD)

Queensland Right to Information Act 2009 (QLD)

Commonwealth Australia

Crimes Act 1914 (Cth Australia)

Cybercrime Act 2001 (Cth Australia)

Copyright Act 1968 (Cth Australia)

SPAM Act 2003 (Cth Australia)

Telecommunications (Interception And Access) Act 1979 (Cth Australia)

Singapore

The Computer Misuse and Cyber security Act (Cap 50A) (Singapore)

Copyright Act (Cap 63) (Singapore)

SPAM Control Act (Cap 311A) (Singapore)

Undesirable Publications Act (Cap 338) (Singapore)

22. Administration

NOTE: Printed copies of this policy are uncontrolled, and currency can only be assured at the time of printing.

Approval Details

Policy Sponsor

Deputy Vice Chancellor, Services and Resources

Version no

2017-1

Date for next Major Review

08/02/2020

Revision History

NOTE: A minor amendment will not result in a change of the next major review date.

Approval date - the date the Policy Sponsor approved the establishment, minor or major amendment or disestablishment

Implementation Date - the date the procedure was published in the Policy Library and is the date the procedure takes effect

Version

Approval date

Implementation date

Details

Author

2017-1

08/02/201709/02/2017

Procedure established

Information and Communications Technology

Keywords

Keywords

Access control, generic accounts, delegate accounts, password, generic accounts, external accounts, access review